CCNA Security Lab 3 - Cisco Context-based Access Control - CLI

Lab 3 


Context-Based Access Control 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to
implement Cisco Context-Based Access Control (CBAC).

Lab Purpose: 

CBAC intelligently filters TCP and UDP packets based on application-layer 
protocol session information. You can configure CBAC to permit specified TCP and 
UDP traffic through a firewall only when the connection is initiated from within 
the network you want to protect. CBAC can inspect traffic for sessions that 
originate from either side of the firewall, and CBAC can be used for intranet, 
extranet, and Internet perimeters of your network. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



Lab 3 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R3 and R4 as illustrated in the 
network diagram. Configure R4 to send R3 clocking information at a rate of 
768Kbps. Ping between R3 and R4 to verify your configuration and ensure that the 
two routers have IP connectivity. 

Task 2: 

Configure Host 1 with the IP address illustrated in the diagram and a default
gateway of the Ethernet0/0 interface of R3, which is 172.16.1.3.


NOTE: If you do not have a Host in your lab, you can simply replace Host 1 with another router that has an Ethernet
interface and a default static route pointing to 172.16.1.3.


Task 3: 

Configure R4 with a default static route pointing to R3. Configure the username cisco with a password of cisco and 
privilege level of 15 on R4. Finally, configure R4 to allow Telnet and HTTP access while authenticating using the local 
database. 

Verify that Host 1 and R4 can ping each other and have complete network connectivity. 

Task 4: 

Configure CBAC on R3 as follows: 

Use the name MY-CBAC for the inspection policy 
Configure CBAC to inspect ICMP traffic 
Configure CBAC to inspect TCP traffic 
Configure CBAC to inspect HTTP traffic 
Use ACL 150 for CBAC and explicitly deny all traffic 

The Ethernet0/0 interface of R3 should be considered the private/trusted interface 
The Serial0/0 interface of R3 should be considered the public/untrusted interface 

Task 5: 

Test your configuration as follows: 

Ping from Host 1 to R4 and verify that CBAC works as configured 
Telnet from Host 1 to R4 and verify that CBAC works as configured 


Lab 3 Configuration and Verification 
Task 1: 

Router(config)#hostname R3 

R3(config)#interface ethernet0/0
R3(config-if)#ip address 172.16.1.3 255.255.255.0

R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial0/0
R3(config-if)#ip address 10.1.1.3 255.255.255.0

R3(config-if)#no shutdown 

R3(config-if)#exit 

R3(config)#exit 

R3# 


Router(config)#hostname R4 

R4(config)#interface serial0/0
R4(config-if)#ip address 10.1.1.4 255.255.255.0 
R4(config-if)#clock rate 768000 

R4(config-if)#no shut 

R4(config-if)#exit 

R4(config)#exit 



R4# 


R4#ping 10.1.1.3 


Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms 

Task 2: 



Task 3: 

R4(config)#ip route 0.0.0.0 0.0.0.0 serial0/0 
R4(config)#username cisco privilege 15 secret cisco 
R4(config)#ip http server 
R4(config)#ip http authentication local 

R4(config)#line vty 0 4 

R4(config-line)#login local 

R4(config-line)#exit 

R4(config)#exit 

R4# 


Command Prompt

C:\>ping 10.1.1.4

Pinging 10.1.1.4 with 32 bytes of data:

Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254

Ping statistics for 10.1.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

C:\>


Task 4: 

R3(config)#ip inspect name MY-CBAC icmp 
R3(config)#ip inspect name MY-CBAC tcp 
R3(config)#ip inspect name MY-CBAC http 
R3(config)#access-list 150 deny ip any any 

R3(config)#int e0/0

R3(config-if)#ip inspect MY-CBAC in 

R3(config-if)#ip access-group 150 out 

R3(config-if)#exit 

R3(config)#int s0/0 

R3(config-if)#ip access-group 150 in 

R3(config-if)#ip inspect MY-CBAC out 

R3(config-if)#exit 

R3(config)#exit 

R3# 
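To make the mechanism behind Task 4 concrete (ACL 150 denies everything arriving from the untrusted side, and the MY-CBAC inspection rule adds temporary return-path entries only for sessions that start on Ethernet0/0), here is a small Python model written for this page; it is not Cisco code and not part of the lab. It uses the addresses from the lab diagram and the Task 5 output, treats 10.9.9.9 as a constructed intermediate hop, carries the ICMP type in the packet's dport field, and mirrors the SIDs that show ip inspect sessions detail reports in Task 5, including the wildcard-source entries for ICMP unreachable (type 3) and time-exceeded (type 11). It also covers a case the lab does not test: a protocol left out of the inspection rule (UDP here) leaves the router unhindered, but its reply is dropped by ACL 150.

```python
from __future__ import annotations
from dataclasses import dataclass

# Addresses from the lab; 10.9.9.9 is a constructed address standing in
# for an intermediate hop that sends an ICMP error.
HOST1, R4 = "172.16.1.254", "10.1.1.4"
ANY = "0.0.0.0"          # IOS prints wildcard-source SIDs as 0.0.0.0


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # L4 source port (unused for ICMP)
    dport: int = 0       # L4 destination port, or the ICMP type for icmp


@dataclass(frozen=True)
class Sid:
    """One temporary return-path permit, src[lo:hi]=>dst[lo:hi], in the
    form 'show ip inspect sessions detail' displays it."""
    src: str             # ANY matches every source
    dst: str
    sport: tuple[int, int]
    dport: tuple[int, int]

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (ANY, pkt.src) and self.dst == pkt.dst
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1])


class CbacRouter:
    """R3: 'ip inspect MY-CBAC' for the named protocols, and ACL 150
    'deny ip any any' for everything arriving from the untrusted side."""

    def __init__(self, inspect: set[str]) -> None:
        self.inspect = inspect
        self.sessions: dict[tuple, list[Sid]] = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        if pkt.proto == "icmp":
            return ("icmp", pkt.src, pkt.dst)
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> str:
        """Trusted -> untrusted. No ACL applies in this direction; an
        inspected protocol gets a session whose SIDs admit the replies."""
        if pkt.proto in self.inspect:
            if pkt.proto == "icmp":
                sids = [Sid(pkt.dst, pkt.src, (0, 0), (0, 0)),    # echo reply
                        Sid(ANY, pkt.src, (0, 0), (3, 3)),        # unreachable
                        Sid(ANY, pkt.src, (0, 0), (11, 11))]      # time exceeded
            else:
                sids = [Sid(pkt.dst, pkt.src,
                            (pkt.dport, pkt.dport), (pkt.sport, pkt.sport))]
            self.sessions[self._key(pkt)] = sids
        return "forwarded"

    def inbound(self, pkt: Packet) -> str:
        """Untrusted -> trusted: only a packet matching an open session's
        SID gets past ACL 150; everything else is dropped."""
        for sids in self.sessions.values():
            if any(sid.matches(pkt) for sid in sids):
                return "permitted"
        return "dropped"


def run_lab_checks() -> dict[str, str]:
    """Replay the Task 5 tests plus cases the lab does not exercise."""
    r3 = CbacRouter(inspect={"icmp", "tcp", "http"})
    out = {}
    r3.outbound(Packet("icmp", HOST1, R4, dport=8))                 # Task 5 ping
    out["echo reply"] = r3.inbound(Packet("icmp", R4, HOST1, dport=0))
    out["unreachable from hop"] = r3.inbound(Packet("icmp", "10.9.9.9", HOST1, dport=3))
    out["unsolicited ping"] = r3.inbound(Packet("icmp", R4, HOST1, dport=8))
    r3.outbound(Packet("tcp", HOST1, R4, 2075, 23))                 # Task 5 telnet
    out["telnet reply"] = r3.inbound(Packet("tcp", R4, HOST1, 23, 2075))
    out["unsolicited telnet"] = r3.inbound(Packet("tcp", R4, HOST1, 40000, 23))
    r3.outbound(Packet("udp", HOST1, R4, 5000, 53))                 # udp not inspected
    out["udp reply"] = r3.inbound(Packet("udp", R4, HOST1, 53, 5000))
    return out


if __name__ == "__main__":
    for case, verdict in run_lab_checks().items():
        print(f"{case:22} {verdict}")
```

The model keeps one session table, which is enough to show the point: the inspection rule, not the ACL, decides what comes back in, so any protocol you forget to list in MY-CBAC works one way only.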

Task 5: 


Command Prompt

C:\>ping 10.1.1.4

Pinging 10.1.1.4 with 32 bytes of data:

Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254
Reply from 10.1.1.4: bytes=32 time=3ms TTL=254

Ping statistics for 10.1.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

C:\>


R3#show ip inspect sessions detail

Established Sessions

Session 646642E0 (172.16.1.254:8)=>(10.1.1.4:0) icmp SIS_OPEN
Created 00:00:09, Last heard 00:00:06
ECHO request
Bytes sent (initiator:responder) [128:128]
Out SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150
In SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150 (4 matches)
Out SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
In SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
Out SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150
In SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150


Telnet 10.1.1.4

User Access Verification

Username: cisco
Password:

R4#


R3#show ip inspect sessions detail 

Established Sessions 

Session 646642E0 (172.16.1.254:2075)=>(10.1.1.4:23) tcp SIS_OPEN
Created 00:00:07, Last heard 00:00:04
Out SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150
In SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150 (16 matches)
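When verifying Task 5 on more than one router, it helps to turn the show ip inspect sessions detail text into structured records rather than reading it by eye. The following Python parser is an added example written for this page (not from the lab or from Cisco); its record field names are my own choice. The sample text is constructed by stitching together the two captures above, so it carries two sessions with the same session id, which a single live capture would not.

```python
from __future__ import annotations
import re

# Constructed sample: the two Task 5 captures joined into one listing.
SAMPLE = """\
Established Sessions
 Session 646642E0 (172.16.1.254:8)=>(10.1.1.4:0) icmp SIS_OPEN
  Created 00:00:09, Last heard 00:00:06
  ECHO request
  Bytes sent (initiator:responder) [128:128]
  Out SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150
  In SID 10.1.1.4[0:0]=>172.16.1.254[0:0] on ACL 150 (4 matches)
  Out SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
  In SID 0.0.0.0[0:0]=>172.16.1.254[3:3] on ACL 150
  Out SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150
  In SID 0.0.0.0[0:0]=>172.16.1.254[11:11] on ACL 150
 Session 646642E0 (172.16.1.254:2075)=>(10.1.1.4:23) tcp SIS_OPEN
  Created 00:00:07, Last heard 00:00:04
  Out SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150
  In SID 10.1.1.4[23:23]=>172.16.1.254[2075:2075] on ACL 150 (16 matches)
"""

# '=>' is accepted with stray spaces because pasted output often has them.
SESSION_RE = re.compile(
    r"Session (?P<id>[0-9A-Fa-f]+) \((?P<isrc>[\d.]+):(?P<iport>\d+)\)\s*=\s*>\s*"
    r"\((?P<rsrc>[\d.]+):(?P<rport>\d+)\) (?P<proto>\S+) (?P<state>\S+)")
SID_RE = re.compile(
    r"(?P<dir>In|Out) SID (?P<src>[\d.]+)\[(?P<slo>\d+):(?P<shi>\d+)\]\s*=\s*>\s*"
    r"(?P<dst>[\d.]+)\[(?P<dlo>\d+):(?P<dhi>\d+)\] on ACL (?P<acl>\d+)"
    r"(?: \((?P<matches>\d+) matches\))?")
CREATED_RE = re.compile(r"Created ([\d:]+), Last heard ([\d:]+)")


def parse_inspect_sessions(text: str) -> list[dict]:
    """One dict per session; each SID becomes a dict under 'sids'."""
    sessions: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            sessions.append({
                "id": m["id"], "proto": m["proto"], "state": m["state"],
                "initiator": (m["isrc"], int(m["iport"])),
                "responder": (m["rsrc"], int(m["rport"])),
                "created": None, "last_heard": None, "sids": []})
        elif sessions and (m := CREATED_RE.match(line)):
            sessions[-1]["created"], sessions[-1]["last_heard"] = m.groups()
        elif sessions and (m := SID_RE.match(line)):
            sessions[-1]["sids"].append({
                "dir": m["dir"], "acl": int(m["acl"]),
                "src": m["src"], "sport": (int(m["slo"]), int(m["shi"])),
                "dst": m["dst"], "dport": (int(m["dlo"]), int(m["dhi"])),
                "matches": int(m["matches"] or 0)})   # absent => 0 matches
    return sessions


def wildcard_holes(sessions: list[dict]) -> list[tuple[str, int, int]]:
    """Inbound permits whose source is unconstrained (0.0.0.0): the ICMP
    error types CBAC lets any host send back to the initiator."""
    holes = {(s["dst"], *s["dport"]) for sess in sessions
             for s in sess["sids"] if s["dir"] == "In" and s["src"] == "0.0.0.0"}
    return sorted(holes)


if __name__ == "__main__":
    for sess in parse_inspect_sessions(SAMPLE):
        hits = sum(s["matches"] for s in sess["sids"] if s["dir"] == "In")
        print(sess["proto"], sess["initiator"], "->", sess["responder"],
              sess["state"], f"inbound matches={hits}")
    print("wildcard-source permits:", wildcard_holes(parse_inspect_sessions(SAMPLE)))
```

The "In SID ... (N matches)" counters are the quickest evidence that return traffic really is being admitted through ACL 150 by the inspection rule rather than by some other permit, so they are worth recording alongside the session tuple.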

Lab 3 Configurations 
R3 Configuration 

R3#show run 
Building configuration... 

Current configuration : 1019 bytes 
! 

version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R3 
! 

boot-start-marker
boot-end-marker
! 

no logging console 
! 

no aaa new-model 
! 

! 

ip cef 
! 

! 

ip inspect name MY-CBAC icmp 
ip inspect name MY-CBAC tcp 
ip inspect name MY-CBAC http 
ip auth-proxy max-nodata-conns 3 
ip admission max-nodata-conns 3 
! 

! 

! 

! 

! 



interface Ethernet0/0
ip address 172.16.1.3 255.255.255.0 
ip access-group 150 out 
ip inspect MY-CBAC in 
full-duplex 
! 

interface Serial0/0 
ip address 10.1.1.3 255.255.255.0 
ip access-group 150 in 
ip inspect MY-CBAC out 
! 

interface Ethernet0/1 
no ip address 
shutdown 

half-duplex 

! 

ip http server 
ip http authentication local 
ip http secure-server 
! 

ip forward-protocol nd 
! 

! 

access-list 150 deny ip any any 


control-plane 







line con 0 


line aux 0 
line vty 0 4 
password cisco 
login local 
! 

! 

end 

R4 Configuration 

R4#show run 
Building configuration... 

Current configuration : 876 bytes 
! 

version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R4 
! 

boot-start-marker
boot-end-marker
! 

no logging console 
! 

no aaa new-model 
! 

! 

ip cef 
! 

! 

ip auth-proxy max-nodata-conns 3 
ip admission max-nodata-conns 3 
! 

! 

! 

! 



! 

! 

username cisco privilege 15 secret 5 $1$5xfY$qduHuWEcucGng94cEg6q7/
! 

! 

! 

! 

! 

! 

! 

interface Ethernet0/0
no ip address 
full-duplex 
! 

interface Serial0/0
ip address 10.1.1.4 255.255.255.0 
clock rate 768000 
no fair-queue 
! 

interface Ethernet0/1
no ip address 
shutdown 
half-duplex 
! 

ip http server 
ip http authentication local 
no ip http secure-server 
! 

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
! 

! 

! 

! 

! 


control-plane 



line con 0 


line aux 0 
line vty 0 4 
login local 
! 

! 

end 